Hello Tim,

We should not really bring any forum conversations here, but I see that Adolf has asked you to…

> On 23 May 2025, at 16:33, Tim Zakharov <[email protected]> wrote:
>
> At Status->Network (other)->Firewall Hits Graph I sometimes see values in the
> 'To Hostile Networks' line beneath the graph, which tells me a green IP
> attempted to send traffic to a Hostile Network. In a forum conversation with
> Adolf Belka, I was guided to Export Firewall Logs for the day the event
> occurred and search for DROP_HOSTILE. I did, but could only come up with RED
> traffic, not GREEN, during that time frame. For example:
>
>> 2:13:11 DROP_HOSTILE IN= OUT=red0 SRC=70.164.192.226 DST=202.61.85.215 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=17688 DF PROTO=TCP SPT=57844 DPT=80 WINDOW=42340 RES=0x00 SYN URGP=0
>
> Where SRC is my RED IP and DST is the hostile network.

This connection most likely went through the proxy then. In that case, we won’t be able to see which host has made that connection from the firewall log. This is because the client in the local network contacts the proxy using the IP address of the firewall itself and then sends a request to the proxy. The proxy resolves the DNS name the client asked to connect to and will initiate the connection. Since the destination is on the internet it will use its best address which would be the RED IP address. Since they are two separate connections, the firewall does not know that there is a dependency.

If you have logging enabled, the proxy would have logged the request including the destination IP address and the source IP address of the client.

If you are not using the proxy, you will see the internal IP address of the host because NAT comes after the connection being accepted.

> I have seen DROP_HOSTILE IN=green0 traffic before, but it was while browsing
> through Logs->FWLoggraphs (IP) when I happened to randomly click on a green
> IP that had attempted a connection with a hostile network.
>
> I would like to find a quick, reliable way to see which GREEN IP attempted to
> connect to a hostile network. Any ideas?
>
> For reference, here is the forum post I referenced above:
> https://community.ipfire.org/t/how-to-find-green-ip-that-is-sending-traffic-to-hostile-network/14098
>

-Michael
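
The correlation described in the reply above, as an added example that is not part of the original mail and is not IPFire's own code: for each DROP_HOSTILE line it reads the client straight from SRC when IN= names an interface, and otherwise looks up the proxy request to the same destination. It assumes the proxy log is in Squid's native access.log format and that the firewall log times are in the timezone of the `day` passed in; the function names and all sample lines except the one quoted in the mail are constructed.

```python
import re
from datetime import datetime, timedelta, timezone

# Constructed sample logs. The firewall lines follow the shape quoted in the mail;
# the proxy lines assume Squid's native access.log format (an assumption).
FIREWALL = """\
2:13:11 DROP_HOSTILE IN= OUT=red0 SRC=70.164.192.226 DST=202.61.85.215 LEN=60 PROTO=TCP SPT=57844 DPT=80
2:20:40 DROP_HOSTILE IN=green0 OUT=red0 SRC=192.168.1.31 DST=198.51.100.9 LEN=60 PROTO=TCP SPT=40112 DPT=443
"""
PROXY = """\
1747966421.412  30012 192.168.1.23 TCP_MISS/503 4012 GET http://bad.example/ - HIER_DIRECT/202.61.85.215 text/html
1747966395.020    120 192.168.1.40 TCP_MISS/200 5120 GET http://ok.example/ - HIER_DIRECT/203.0.113.7 text/html
"""

FW_RE = re.compile(r"^(\d{1,2}):(\d{2}):(\d{2}) DROP_HOSTILE IN=(\S*) .*?SRC=(\S+) DST=(\S+)")

def parse_proxy(text):
    """Yield (time, client, url, peer_ip) from Squid native-format lines."""
    for line in text.splitlines():
        f = line.split()
        if len(f) >= 9 and "/" in f[8]:
            when = datetime.fromtimestamp(float(f[0]), timezone.utc)
            yield (when, f[2], f[6], f[8].split("/", 1)[1])

def find_clients(fw_text, proxy_text, day, window=timedelta(seconds=120)):
    """Return (hostile_dst, internal_client, evidence) for each DROP_HOSTILE hit."""
    proxy = list(parse_proxy(proxy_text))
    results = []
    for line in fw_text.splitlines():
        m = FW_RE.match(line)
        if not m:
            continue
        h, mi, s, in_if, src, dst = m.groups()
        when = day.replace(hour=int(h), minute=int(mi), second=int(s))
        if in_if:
            # Forwarded traffic (e.g. IN=green0): SRC is already the internal host.
            results.append((dst, src, "firewall log"))
            continue
        # Empty IN= means the firewall itself (the proxy) opened the connection.
        # The proxy writes its entry when the request ends, so allow some slack.
        for t, client, url, peer in proxy:
            if peer == dst and abs(t - when) <= window:
                results.append((dst, client, url))
    return results

if __name__ == "__main__":
    for row in find_clients(FIREWALL, PROXY, datetime(2025, 5, 23, tzinfo=timezone.utc)):
        print(*row)
```

A hit with an empty IN= and no proxy match within the window is left out of the result, so it is worth widening `window` before concluding the proxy was not involved.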
